Mass mailing with elements of targeted spam

Man

Mass malicious mailings are usually quite primitive and not very varied: the whole message fits into a few sentences in which the user is asked to download an archive that supposedly contains some urgent invoices or unpaid fines. The letters often have no signature or logo, and the text may contain spelling and other errors. Such mailings can target both home users and large companies, and the differences between the two are not particularly significant.

[Image: Example of a letter from a mass malicious mailing]

But recently the situation has begun to change: attackers have begun to use techniques typical of targeted attacks in mass mailings. In particular, they send letters on behalf of existing companies, copying the style of the letter and the signature of the sender.

Letter from a "client" with a surprise

Not long ago, we found an interesting letter. In it, a supposed potential client from Malaysia asks the recipient, in rather strange English, to familiarize themselves with the client company's requirements and get back to them with the necessary documents. The overall design of the letter follows corporate correspondence standards: there is the logo of a real company and a signature with the sender's details. On the whole the request looks legitimate, and the language errors can easily be attributed to the client's representative not being a native English speaker.

[Image: Email with malicious attachment allegedly from a potential customer in Malaysia]

The only thing that gives this letter away is the sender's address <newsletter@trade***.com>: the local part "newsletter" is normally used for sending out news, not for correspondence about purchases. In addition, the sender's domain does not match the company name shown on the logo.

In another letter, a supposed client from Bulgaria wants to check with the seller whether the desired product is in stock and to discuss the details of the sale. As in the previous letter, the list of products he is interested in is supposedly in the attachment. Again, the only thing that raises doubt is the sender's address: it is not on a Bulgarian domain but on a Greek one, which has no connection to the company the scammers are impersonating.

[Image: Email with malicious attachment allegedly from a potential client in Bulgaria]

What unites these emails is not only a similar mailing scenario and the fact that their content does not look automatically generated. Having studied the email headers, we found that they have the same structure: the sequence of headers, the format of the message identifier (Message-ID, MSGID), and the email client are identical. In addition, the emails come from a limited set of IP addresses. This means that they are part of one large malicious email campaign.

[Image: Comparison of the email headers of two malicious emails]

Unlike the IP addresses and headers, the content of the letters varies considerably. The attackers send out the malicious archive on behalf of many different companies, and the text of the "request" to the victim changes each time. In other words, the authors of the mailing put a lot of effort into preparation, which is not typical of such mass campaigns.
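The header comparison described above (same header order, same Message-ID format, same mail client, a small set of sending IPs) can be turned into a clustering check for a mail gateway or SOC script. This is an added example, not code from the original article or from any vendor product; the three sample messages are constructed with placeholder domains and documentation IP ranges, and the `ExampleMailer`/`OtherClient` X-Mailer strings are invented.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample messages (placeholder domains, not real campaign data).
# Messages 1 and 2 share the traits the article describes: same header order, same
# Message-ID shape, same mail client, sending IPs from one small range. Message 3 differs.
SAMPLES = [
    "Received: from a.trade-placeholder.test ([198.51.100.7]) by mx.victim.test\n"
    "From: Procurement <newsletter@trade-placeholder.test>\nTo: sales@victim.test\n"
    "Subject: Request for quotation\n"
    "Message-ID: <20240604091230.1A2B3C4D@trade-placeholder.test>\n"
    "X-Mailer: ExampleMailer 1.0\n\nSee the attached requirements.\n",
    "Received: from b.hellas-placeholder.test ([198.51.100.9]) by mx.victim.test\n"
    "From: Sales <office@hellas-placeholder.test>\nTo: sales@victim.test\n"
    "Subject: Stock availability\n"
    "Message-ID: <20240611143055.9F8E7D6C@hellas-placeholder.test>\n"
    "X-Mailer: ExampleMailer 1.0\n\nIs the attached product list in stock?\n",
    "Received: from smtp.partner-placeholder.test ([203.0.113.5]) by mx.victim.test\n"
    "Message-ID: <a1b2c3d4-e5f6@partner-placeholder.test>\n"
    "From: Anna <anna@partner-placeholder.test>\nTo: sales@victim.test\n"
    "Subject: Invoice 42\nX-Mailer: OtherClient 3.2\n\nInvoice attached.\n",
]

def msgid_shape(msgid):
    """Reduce the Message-ID local part to a shape string: D<n> for digit runs,
    A<n> for other alphanumeric runs, punctuation kept literally (e.g. 'D14.A8')."""
    local = msgid.strip().strip("<>").split("@")[0]
    return "".join(("D" if t.isdigit() else "A") + str(len(t)) if t.isalnum() else t
                   for t in re.findall(r"[A-Za-z0-9]+|[^A-Za-z0-9]", local))

def fingerprint(raw):
    """Header order + Message-ID shape + mail client: the three traits the article compares."""
    msg = message_from_string(raw, policy=default)
    order = tuple(k.lower() for k, _ in msg.items())
    return (order, msgid_shape(msg["Message-ID"]), (msg["X-Mailer"] or "").strip())

def sending_ip(raw):
    """Bracketed IPv4 from the topmost Received header (the hop that handed us the mail)."""
    msg = message_from_string(raw, policy=default)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get_all("Received")[0])
    return m.group(1) if m else None

def cluster(raws):
    """Group messages by fingerprint -> [(sending IP, From)], so one campaign sent
    under many different company names still lands in a single bucket."""
    groups = {}
    for raw in raws:
        sender = message_from_string(raw, policy=default)["From"]
        groups.setdefault(fingerprint(raw), []).append((sending_ip(raw), str(sender)))
    return groups
```

In practice the sending IPs of each bucket would then be compared against the gateway's own mail logs to see how many distinct senders hide behind one fingerprint.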

Statistics

From April to August, our solutions detected 739,749 emails related to this campaign. The campaign peaked in June, when we detected 194,100 emails, and then began to decline: in July, we detected 178,510 emails, and in August, we detected 104,991 emails.

Payload: Agensla (Agent Tesla) malware

We analyzed the contents of the archives from the spam emails and found that each contains one of two unique files belonging to the same family: the widespread Agent Tesla malware, written in .NET and known since 2014. Its main goal is to collect passwords saved in browsers and other applications and send them to the attacker. Most often the malware exfiltrates the data by email, but there are also versions that send it to a private Telegram chat, to a website set up by the attacker, or to an FTP server. The current mailing distributes one of the latest versions of Agent Tesla, which can extract data from the following applications:
  • Browsers: Chrome, Edge, Firefox, Opera, 360 Browser, 7Star, Amigo, Brave, CentBrowser, Chedot, Chromium, Citrio, Cốc Cốc, Comodo Dragon, CoolNovo, Coowon, Elements Browser, Epic Privacy, Iridium Browser, Kometa, Liebao Browser, Orbitum, QIP Surf, Sleipnir 6, Sputnik, Torch Browser, Uran, Vivaldi, Yandex.Browser, QQ Browser, Cyberfox, IceDragon, Pale Moon, SeaMonkey, Waterfox, IceCat, K-Meleon.
  • Mail clients: Becky!, Opera Mail, Foxmail, Thunderbird, Claws, Outlook, The Bat!, eM Client, Mailbird, IncrediMail, Postbox, Pocomail.
  • FTP/SCP clients: WinSCP, WS_FTP, FTPGetter, SmartFTP, FTP Navigator, Core FTP.
  • Databases: MySQL Workbench.
  • Remote administration clients: RealVNC, TightVNC, TigerVNC, UltraVNC, Windows RDP, cFTP.
  • VPN: NordVPN, OpenVPN.
  • Messengers: Psi/Psi+, Trillian.

Agent Tesla can also take screenshots, intercept the clipboard, and record keystrokes.

Conclusion

The detected mailing clearly shows that attackers can carefully prepare even mass attacks. The letters we analyzed are high-quality fakes of business proposals from real companies, and the only thing that gives the mailing away is the inappropriate sender address. It is highly likely that these letters were composed and sent manually, yet our solutions detected more than a hundred thousand of them per month, and the targets were organizations all over the world.

As a payload, the attackers deliver malware capable of stealing credentials from an impressive list of applications. This information can then be put up for sale on dark web forums and used in targeted attacks on organizations. It is worth noting that Agent Tesla is a well-known stealer that most security solutions detect.
